EU telco/ISP/CSP data retention rules ruled invalid

European Union data communications storage legislation has entered a period of limbo, following the European Court of Justice ruling this week that the requirement to store citizens' data for up to two years is invalid.

The EU Data Retention Directive - which became law across the EU in 2006 - requires telcos and CSPs (Communications Service Providers) to store data on people's communication interactions for two years. This allows law enforcement agencies and other interested parties - subject to the required court orders - to monitor someone's identity, the time of their communication, the location where the communication took place and the frequency of the communications.

This data has been instrumental in a number of high profile terrorist and criminal court cases, but is also used by the Police and the CPS to add weight to their evidence in a wide variety of serious, but more routine, crimes.

Following complaints from Austrian and Irish entities, the European Court of Justice has declared the 2006 law to be invalid, on the basis that it violates two basic human rights: the respect for citizens' private lives and the protection of their personal data.

The European Commission is now hard at work drafting a new data protection law.

CSPs and telcos in the UK have told the Home Office they will continue to maintain their two-year collation of customer data - but have requested urgent clarification from the UK government and the EU. The Internet Service Providers Association has said its members will continue to operate as if the EU data retention obligations are still in place.

The ruling comes amidst reports that the police and spy agencies in the UK are filing around 140 requests a day for access to telco and CSP records - a fact that Sir Anthony May, the UK's surveillance watchdog, is currently investigating.

The British government is widely reported to be privately upset at the EU ruling, although publicly it must acknowledge the EU legal hierarchy.

Commenting on the data retention legal limbo imposed on UK telcos and CSPs, Steve Smith, Managing Director of Pentura, a security consultancy, said that the key point with this ruling is the protection of personal data.

"Customers expect their information to be protected against the risks of hacking, theft and surveillance, which means having a set of enforceable security standards that companies need to show they comply with," he explained.

Digital forensics specialist Professor Peter Sommer - who is often involved in preparing, analysing and presenting IT evidence in court - took a different view, saying that there are potentially major problems ahead for the law enforcement, intelligence and security agencies, as well as telcos, ISPs and the Home Office.

"In the UK, the retention of communications data - who called whom and when, mobile phone locations whenever the phone is powered up, email transactions and Web sites visited - is based not only on primary legislation but on a statutory instrument which itself relies on an EU Directive now stated to be invalid," he said, adding that there has never been a situation like this.

"A gloomy analysis would say: for ISPs and telcos they can now only retain such data as they need for their own business purposes - the Data Protection Act (DPA) criteria - and not all the extra stuff the Data Retention regime requires," he explained.

Professor Sommer - a visiting Professor at De Montfort University - went on to say that the ISPs and telcos should now be destroying anything outside the DPA requests.

The ruling, he says, may also affect old cases, where individuals convicted on evidence from communications data could appeal on the basis that the evidence was illegally obtained.

Against this backdrop, Professor Sommer adds that any law revision will not be easy.

"The judgement allows for targeted data preservation orders - for law enforcement to order the retention of data in respect of specific individuals and against the future possibility that they will demand access when there are sufficient grounds," he said.

"But what will then be the tests for the targeted preservation order - friends and families of actual suspects, individuals themselves peaceful and law abiding but in protest groups where others might possibly resort to unlawful means?" he added.

"I do hope the Home Office - who should have been watching the progress of this EU litigation - have properly thought-out contingency plans."
